SESSION_EXPIRED after logging in another Kibana

Hello,

I have a cluster with 3 Elasticsearch instances on it; individually, each works fine.
But if I have an instance A connected and I connect to instance B or C, I receive a SESSION_EXPIRED timeout.
I run Kibana locally with Docker; the same happens in Chrome and Firefox. They are each on separate ports (ES :9201 -> KIB :5601 | ES :9202 -> KIB :5602, etc.).
Also, if I run A on Chrome and B on Firefox, for example, it will work fine, but that's really inconvenient.

Kibana versions match Elasticsearch's, being either 7.8.2 or 7.15.0.

It sounds like you're using different session encryption keys for different Kibana instances. Check this doc out: Use Kibana in a production environment | Kibana Guide [7.17] | Elastic

Thank you for your reply,

I looked into it already, but how can it work separately then? It is 3 different Kibana dockers, each with their own ES, on 3 different ports, so I can't quite figure out why it would matter that they do not share the same encryption keys.

Are you sure these 3 ES don't form a single cluster? Do you use different cluster names or ...?

I am pretty sure; I am still new to ELK, but I really don't think so. Here is the info of the Elasticsearch instances:

Let's call this one A

{
  "name" : "logginges-master-0",
  "cluster_name" : "logginges",
  "cluster_uuid" : "redacted",
  "version" : {
    "number" : "7.15.0",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "redacted",
    "build_date" : "2021-09-16T03:05:29.143308416Z",
    "build_snapshot" : false,
    "lucene_version" : "8.9.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

this one B

{
  "name" : "datastore-master-1",
  "cluster_name" : "datastore",
  "cluster_uuid" : "redacted",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "redacted",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

and this would be C

{
  "name" : "cdbes-master-0",
  "cluster_name" : "cdbes",
  "cluster_uuid" : "redacted",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "redacted",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Also, they are all started off with a bash script.

The docker run goes like this:

sudo docker run -d --rm --net=host --name loggingkibana -e SERVER_PORT=$kibloggingeslocalport -e ELASTICSEARCH_HOSTS=http://localhost:$esloggingeslocalport -e ELASTICSEARCH_USERNAME=${ELASTICSEARCH_USERNAME} -e ELASTICSEARCH_PASSWORD=${loggingespassword} docker.io/elastic/kibana:$loggingesversion

Okay, good, thanks for confirming - these are all 3 different clusters. I think I know what's going on then.

You access all Kibana instances in the same browser using the same hostname (e.g. localhost) or IP address (e.g. 127.0.0.1), but different ports (e.g. 5601, 5602), right? If so, check out this issue - Kibana authentication troubleshooting guide · Issue #83914 · elastic/kibana · GitHub and Multi-tenancy using the same host name, but different ports section specifically. Here's the excerpt:

Per RFC6265 cookies for a given host are shared across all the ports on that host, even though the usual "same-origin policy" used by web browsers isolates content retrieved via different ports. That means that if you have multiple Kibana tenants (Kibana instances that use different .kibana-x indices) that are using the same host name, but different ports then the session cookies will be shared between them.

This will lead to sporadic logouts if both tenants are opened in the same browsing context (same browser window), since if one tenant receives a session cookie that references a session that lives in another tenant, then the cookie will be treated as invalid and Kibana will clear it.

The most correct solution is to never host different applications on the same hostname because of a cookie leak. If that's not possible then the workaround is to configure different session cookie names for every tenant with xpack.security.cookieName setting.

It worked, so for anyone with the same issue, the best fix I could find is:

  • Change your /etc/hosts config to declare another local address with a custom name, i.e. (127.0.9.1 eslog), and then connect to it in your browser (http://eslog:5601/)

Or, as the issue suggests, use different names for the session cookies.
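The three situations discussed in this thread (shared cookie name on one host, distinct cookie names per tenant, distinct hostnames) modelled with Python's http.cookiejar acting as the browser. This is an added illustration, not code from Kibana or from anyone in the thread; the cookie names sid-logging and sid-datastore, the session ids and the FakeResponse helper are constructed, and Kibana's default session cookie name sid is assumed.

```python
import http.cookiejar
import urllib.request
from email.message import Message

class FakeResponse:
    """Stand-in for an HTTP response; CookieJar only needs .info().get_all()."""
    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers

def login(jar, origin, cookie_name, session_id):
    """A Kibana tenant at `origin` hands the browser its session cookie."""
    req = urllib.request.Request(origin + "/")
    jar.extract_cookies(FakeResponse(f"{cookie_name}={session_id}; Path=/"), req)

def cookies_sent_to(jar, origin):
    """{name: value} that the browser attaches to a request for `origin`."""
    req = urllib.request.Request(origin + "/")
    jar.add_cookie_header(req)
    header = req.get_header("Cookie") or ""
    return dict(part.split("=", 1) for part in header.split("; ") if part)

def same_host_same_name():
    # Both tenants use the default cookie name on localhost: per RFC 6265 the
    # cookie set on :5601 is also sent to :5602, which knows no such session.
    jar = http.cookiejar.CookieJar()
    login(jar, "http://localhost:5601", "sid", "session-from-A")
    return cookies_sent_to(jar, "http://localhost:5602").get("sid")

def same_host_distinct_names():
    # Workaround: a different xpack.security.cookieName per tenant (constructed
    # names). Each tenant reads only its own cookie, but both cookies still
    # travel to both ports, which is why separate hostnames are preferred.
    jar = http.cookiejar.CookieJar()
    login(jar, "http://localhost:5601", "sid-logging", "session-from-A")
    login(jar, "http://localhost:5602", "sid-datastore", "session-from-B")
    sent = cookies_sent_to(jar, "http://localhost:5602")
    return sent.get("sid-datastore"), sorted(sent)

def distinct_hosts():
    # Fix from the thread: a separate hostname per tenant (e.g. "eslog" from
    # /etc/hosts) keeps the cookies apart even with the default name.
    jar = http.cookiejar.CookieJar()
    login(jar, "http://eslog:5601", "sid", "session-from-A")
    return cookies_sent_to(jar, "http://localhost:5602").get("sid")
```

No network access is needed: urllib.request.Request only parses the URL, it never resolves the hostname or connects.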
